Danish Data Protection Watchdog Orders Schools to Stop Sending Student Data to Google

The Danish Data Protection Agency (Datatilsynet) has recently mandated a directive concerning transferring student data to Google via Google Workspace services and Chromebooks being used in schools across Denmark.

The issue is not new, however. About four years ago, Jesper Graugaard made the agency aware of its existence, voicing his concerns that student data is indiscriminately sent to Google without concern for potential repercussions or possible mishandling.

Student Data Transfers to Google Have No Legal Basis, Agency Rules

After thorough consideration, the agency ruled that transferring personal data to Google in its current form has no legal basis for all stated purposes, leading multiple Danish precincts to change how they process and share data.

As part of the recent modifications, local authorities are instructed to:

• Stop sending students’ personal data to Google for specific purposes unless a clear legal basis for the data transfers is established
• Assess the handling of personal data prior to using platforms like Google Workspace and maintain records of the used data
• Ensure that Google doesn’t use any of the received data for purposes not in line with compliance standards

Datatilsynet further elaborated that the company may use student data to provide educational services as part of the Google Workspace platform, enhance the reliability and security of the services, fulfill legal obligations and facilitate communication.

Data Collection for Service Improvement No Longer Permitted

The agency decided that purposes like performance measurements, new feature development, as well as maintaining and improving products such as ChromeOS, the Chrome browser, and Google Workspace for Education fall under non-permissible cases.

While Datatilsynet doesn’t necessarily ban Google services and products from schools across the country, the agency’s decision may hamper the company’s collection of personal data.

Schools May Need to Give Up on Google Services

On the other hand, it may prove daunting for local authorities to prove they’re compliant with Datatilsynet’s decision without relinquishing access to Google services such as the Workspace or Chromebooks.

Municipalities must explicitly declare how they intend to adhere to the new regulations by March 1 and adjust their data processing practices accordingly until Aug 1.